From 212df8e0ee22c27b14fed9a151bd62d4e98cf170 Mon Sep 17 00:00:00 2001
From: Cedric-Magnan <43343135+Cedric-Magnan@users.noreply.github.com>
Date: Wed, 18 May 2022 15:31:51 +0200
Subject: [PATCH 1/9] Update oauth2.go
Signed-off-by: Cedric-Magnan
---
 server/oauth2.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/server/oauth2.go b/server/oauth2.go
index bb0058a74a..3661934596 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -138,6 +138,10 @@ const (
 responseTypeCode = "code" // "Regular" flow
 responseTypeToken = "token" // Implicit flow for frontend apps.
 responseTypeIDToken = "id_token" // ID Token in url fragment
+ responseTypeCodeToken = "code token" // "Regular" flow + Implicit flow
+ responseTypeCodeIDToken = "code id_token" // "Regular" flow + ID Token
+ responseTypeIDTokenToken = "id_token token" // ID Token + Implicit flow
+ responseTypeCodeIDTokenToken = "code id_token token" // "Regular" flow + ID Token + Implicit flow
 )
 
 const (
From 791657276ec512845347610a171c2758460e0012 Mon Sep 17 00:00:00 2001
From: Cedric-Magnan <43343135+Cedric-Magnan@users.noreply.github.com>
Date: Wed, 18 May 2022 15:38:36 +0200
Subject: [PATCH 2/9] Update server.go
Signed-off-by: Cedric-Magnan
---
 server/server.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/server.go b/server/server.go
index f23eb54b7c..6bb39ec384 100755
--- a/server/server.go
+++ b/server/server.go
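Review bot: The comments on the four new constants describe them as sums of the single flows, but OpenID Connect Core 1.0 §3.3 defines every response_type that contains `code` together with `id_token` and/or `token` as the Hybrid Flow, and `id_token token` is the second Implicit Flow variant of §3.2; naming the governing section tells the next reader which rules apply to each value, e.g. `responseTypeCodeIDToken = "code id_token" // Hybrid flow (OIDC Core 3.3)`. The hybrid combinations also carry requirements the single values do not (a nonce, and c_hash/at_hash in the ID token issued from the authorization endpoint); whether the rest of the server enforces them is outside this hunk and should be confirmed before these values are advertised.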
@@ -218,9 +218,9 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 for _, respType := range c.SupportedResponseTypes {
 switch respType {
- case responseTypeCode, responseTypeIDToken:
+ case responseTypeCode, responseTypeIDToken, responseTypeCodeIDToken:
 // continue
- case responseTypeToken:
+ case responseTypeToken, responseTypeCodeToken, responseTypeIDTokenToken, responseTypeCodeIDTokenToken:
 // response_type=token is an implicit flow, let's add it to the discovery info
 // https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.1
 supportedGrant = append(supportedGrant, grantTypeImplicit)
From 7e4798a7a442a646de9d713a400f8228084793bc Mon Sep 17 00:00:00 2001
From: Cedric-Magnan
Date: Wed, 1 Jun 2022 10:28:03 +0200
Subject: [PATCH 3/9] fix: linting with gofmt
Signed-off-by: Cedric-Magnan
---
 server/oauth2.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/server/oauth2.go b/server/oauth2.go
index 3661934596..94398c162c 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -135,12 +135,12 @@ const (
 )
 
 const (
- responseTypeCode = "code" // "Regular" flow
- responseTypeToken = "token" // Implicit flow for frontend apps.
- responseTypeIDToken = "id_token" // ID Token in url fragment
- responseTypeCodeToken = "code token" // "Regular" flow + Implicit flow
- responseTypeCodeIDToken = "code id_token" // "Regular" flow + ID Token
- responseTypeIDTokenToken = "id_token token" // ID Token + Implicit flow
+ responseTypeCode = "code" // "Regular" flow
+ responseTypeToken = "token" // Implicit flow for frontend apps.
+ responseTypeIDToken = "id_token" // ID Token in url fragment
+ responseTypeCodeToken = "code token" // "Regular" flow + Implicit flow
+ responseTypeCodeIDToken = "code id_token" // "Regular" flow + ID Token
+ responseTypeIDTokenToken = "id_token token" // ID Token + Implicit flow
 responseTypeCodeIDTokenToken = "code id_token token" // "Regular" flow + ID Token + Implicit flow
 )
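Review bot: `supportedGrant = append(supportedGrant, grantTypeImplicit)` now runs once per matching entry, and with four values in the second case a configuration listing, say, `token` and `code token` puts `implicit` into the discovery document's grant_types_supported twice; set a flag on the first match, `implicitAdded = true`, and guard the append with `if !implicitAdded {`, or deduplicate after the loop. The switch also compares the configured string verbatim, so `id_token code` — equivalent to `code id_token` under OAuth 2.0 Multiple Response Type Encoding Practices §3, where the order of the space-separated values is not significant — falls through to the default branch, which is not visible here. Normalizing each entry (split on spaces, sort, rejoin) before the switch would accept both orderings. newServer starts before this hunk and the loop continues past it.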
From ee39467ade12aa6dc6b69b0a8db3f0615f75f126 Mon Sep 17 00:00:00 2001
From: Benjamin FERNANDEZ
Date: Tue, 18 Jul 2023 14:58:24 +0200
Subject: [PATCH 4/9] Add frame ancestor configuration for web app to prevent clickjacking
---
 cmd/dex/config.go | 1 +
 cmd/dex/serve.go | 4 ++++
 server/server.go | 26 ++++++++++++++++++++++++++
 3 files changed, 31 insertions(+)
diff --git a/cmd/dex/config.go b/cmd/dex/config.go
index 831156fd40..8cd539707d 100644
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@@ -150,6 +150,7 @@ type Web struct {
 TLSCert string `json:"tlsCert"`
 TLSKey string `json:"tlsKey"`
 AllowedOrigins []string `json:"allowedOrigins"`
+ FrameAncestors []string `json:"frameAncestors"`
 }
 
 // Telemetry is the config format for telemetry including the HTTP server config.
diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index 47b090aeab..0de06a56e0 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -253,6 +253,10 @@ func runServe(options serveOptions) error {
 logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
 }
 
+ if len(c.Web.FrameAncestors) > 0 {
+ logger.Infof("config allowed frame ancestors: %s", c.Web.FrameAncestors)
+ }
+
 // explicitly convert to UTC.
 now := func() time.Time { return time.Now().UTC() }
diff --git a/server/server.go b/server/server.go
index 444fb7e15a..57b2d57c0f 100644
--- a/server/server.go
+++ b/server/server.go
@@ -77,6 +77,11 @@ type Config struct {
 // domain.
 AllowedOrigins []string
 
+ // List of domain allowed to frame the content of the application.
+ // By default no one is accepted to prevent against clickjacking.
+ // Passing in "*" will allow any domain
+ FrameAncestors []string
+
 // If enabled, the server won't prompt the user to approve authorization requests.
 // Logging in implies approval.
 SkipApprovalScreen bool
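Review bot: The FrameAncestors doc comment in the server.go hunk should say what the values become on the wire, because operators are writing CSP source expressions rather than origins: each entry is emitted verbatim into `Content-Security-Policy: frame-ancestors …`, an entry equal to the issuer URL is rewritten to `'self'`, and an empty list yields `'none'` (the substitution and default live in the newServer hunk of this patch, not here). Suggested wording: `// Sources allowed to embed dex in a frame, emitted as a CSP frame-ancestors directive; an entry equal to the issuer URL is mapped to 'self'. Empty means 'none' (no framing, which prevents clickjacking); "*" allows any origin.` It is also worth stating that entries are not validated, since whatever is configured lands in the header as-is.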
@@ -339,7 +344,28 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 }
 }
 
+
+ // frame-ancestors middleware
+ frameAncestorsMidldleware := func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ var ancestors string
+ if len(c.FrameAncestors) > 0 {
+ for i := 0; i < len(c.FrameAncestors); i++ {
+ if c.FrameAncestors[i] == issuerURL.String() {
+ c.FrameAncestors[i] = "'self'"
+ }
+ }
+ ancestors = strings.Join(c.FrameAncestors, " ")
+ } else {
+ ancestors = "'none'"
+ }
+ w.Header().Set("Content-Security-Policy", "frame-ancestors "+ancestors)
+ next.ServeHTTP(w, r)
+ })
+ }
+
 r := mux.NewRouter().SkipClean(true).UseEncodedPath()
+ r.Use(frameAncestorsMidldleware)
 handle := func(p string, h http.Handler) {
 r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
 }
From 542f7700746144dbbbb824441ed8207955ec5af1 Mon Sep 17 00:00:00 2001
From: Fernandez Benjamin
Date: Tue, 25 Jul 2023 15:21:26 +0200
Subject: [PATCH 5/9] Update README.md
Signed-off-by: Fernandez Benjamin
---
 README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index 0067b0dcf3..338e5f9814 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,6 @@
 ![logo](docs/logos/dex-horizontal-color.png)
-
 Dex is an identity service that uses [OpenID Connect][openid-connect] to drive authentication for other apps. Dex acts as a portal to other identity providers through ["connectors."](#connectors) This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend.
From 774370d94e7c566602b7886cbabdbc8740e193f7 Mon Sep 17 00:00:00 2001
From: Fernandez Benjamin
Date: Tue, 25 Jul 2023 15:22:21 +0200
Subject: [PATCH 6/9] Update docker-image.yml
Signed-off-by: Fernandez Benjamin
---
 .github/workflows/docker-image.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 8cf4db220d..b36af8f643 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -3,9 +3,7 @@ name: Create and publish a Docker image
 # Configures this workflow to run every time a change is pushed to the branch called `release`.
 on:
 push:
- branches: ['release-orange']
- pull_request:
- branches: ['release-orange']
+ branches: ['release-orange-v2.37.0']
 
 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:
@@ -45,5 +43,4 @@ jobs:
 with:
 context: .
 push: true
- tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
From 0f39eb7e701e8cee193f3d6b68e20464fac27a2b Mon Sep 17 00:00:00 2001
From: Fernandez Benjamin
Date: Tue, 25 Jul 2023 15:33:00 +0200
Subject: [PATCH 7/9] Update docker-image.yml
Signed-off-by: Fernandez Benjamin
---
 .github/workflows/docker-image.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index b36af8f643..b92faea5da 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -43,4 +43,5 @@ jobs:
 with:
 context: .
 push: true
+ tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
From 2443945ad567f08f42d62871314ffade2f97569f Mon Sep 17 00:00:00 2001
From: Fernandez Benjamin
Date: Tue, 25 Jul 2023 15:41:38 +0200
Subject: [PATCH 8/9] Update checks.yaml
Signed-off-by: Fernandez Benjamin
---
 .github/workflows/checks.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 62d61b249b..cacebf8871 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -2,9 +2,11 @@ name: Checks
 on:
 push:
- branches: ['release-orange']
+ branches:
+ - '**'
 pull_request:
- branches: ['release-orange']
+ branches:
+ - '**'
 
 jobs:
 lint:
From c42367b8ec8a78827cc4138e69a7c085c4b945bc Mon Sep 17 00:00:00 2001
From: Fernandez Benjamin
Date: Tue, 25 Jul 2023 16:23:47 +0200
Subject: [PATCH 9/9] Update server.go
Signed-off-by: Fernandez Benjamin
---
 server/server.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/server/server.go b/server/server.go
index d27188f7ae..7d6e85ed5f 100644
--- a/server/server.go
+++ b/server/server.go
@@ -344,7 +344,6 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 }
 }
 
- // frame-ancestors middleware
 frameAncestorsMidldleware := func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {